
Handling of WebAPI HTTP requests

Requests to the WebAPI are handled by the web server that is embedded in the OpenTalk controller. Each request passes through several layers of middleware before it reaches the handler that processes and answers it.

Details

HTTP server

The HTTP server receives requests from the client and passes them on to the middlewares and endpoints.

Header request id middleware

This middleware adds a unique id to the request so that it can be tracked throughout the system. If the same header was already sent from the client, it will not be modified.

Tracing middleware

The tracing logger middleware captures structured request and response information and passes it on to the configured tracing subscriber. It does not apply any modifications to the request.

CORS enforcement middleware

This middleware refuses or allows requests based on the CORS policy of the web service. It does not apply any modifications to the request.

Request metrics middleware

This middleware records the handler duration for each request handler categorized by the HTTP response status. It does not apply any modifications to the request.

Signaling endpoint handler

Handles the requests to the WebSocket signaling endpoint which is responsible for processing the communication between clients and the controller during a meeting. The documentation of the protocol can be found in the Signaling section of the developer documentation.

Metrics endpoint handler

Endpoint to fetch collected metrics from the controller. The documentation can be found in the metrics section.

Depending on the corresponding configuration the endpoint handler itself will either return the contents or deny the request with the corresponding HTTP status code.

Public API endpoint handlers

These are API endpoints that are available to the public without authentication. They provide general information that the client needs to fetch upfront before logging in.

The endpoints are described in the OpenAPI specification.

Service auth middleware

Authenticates services using the claims provided in the OIDC access token.

Service endpoint handlers

These endpoints are for services that log in to meetings to provide functionality for the meeting, such as the OpenTalk Recorder or the OpenTalk Obelisk.

OIDC middleware

This middleware verifies that the OIDC JSON Web Token provided by the client is valid and contains the required information. It extracts information such as the user id and adds it to the request for the subsequent middlewares or request handlers.

In addition, it can authenticate through an invite code header for guest participants when no OIDC token is provided.

ACL middleware

The ACL middleware enforces access rules for the authenticated endpoints. The rules are stored in the casbin_rule database table and are evaluated by the Casbin rule enforcement engine, which is the base for the OpenTalk Controller rule enforcement system called kustos. When access to an endpoint is not allowed, the corresponding HTTP error status code is returned.
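
How a default-deny check over rule rows of this kind can work, as an added example (not OpenTalk or kustos code). It assumes the common Casbin adapter row layout of `ptype`, `v0`, `v1`, `v2` and a simple role-based model; the subjects, roles and paths are constructed.

```rust
use std::collections::HashSet;

// One row shaped like a Casbin policy record (assumed layout).
// "p" rows grant (subject, object, action); "g" rows assign (member, role).
struct Rule { ptype: &'static str, v0: &'static str, v1: &'static str, v2: &'static str }

// Constructed sample rows; not taken from a real OpenTalk database.
fn sample_rules() -> Vec<Rule> {
    vec![
        Rule { ptype: "p", v0: "role::user", v1: "/rooms", v2: "GET" },
        Rule { ptype: "p", v0: "user::alice", v1: "/rooms/42", v2: "PATCH" },
        Rule { ptype: "g", v0: "user::alice", v1: "role::user", v2: "" },
        Rule { ptype: "g", v0: "user::bob", v1: "role::user", v2: "" },
    ]
}

// Collect the user plus every role reachable through "g" rows (transitively).
fn subjects_for<'a>(rules: &'a [Rule], user: &'a str) -> HashSet<&'a str> {
    let mut seen = HashSet::from([user]);
    let mut queue = vec![user];
    while let Some(cur) = queue.pop() {
        for r in rules.iter().filter(|r| r.ptype == "g" && r.v0 == cur) {
            if seen.insert(r.v1) { queue.push(r.v1); }
        }
    }
    seen
}

// Default deny: allow only when a "p" row matches the user (or one of its roles),
// the requested object and the requested action exactly.
fn enforce(rules: &[Rule], user: &str, object: &str, action: &str) -> bool {
    let subjects = subjects_for(rules, user);
    rules.iter().any(|r| {
        r.ptype == "p" && subjects.contains(r.v0) && r.v1 == object && r.v2 == action
    })
}

fn main() {
    let rules = sample_rules();
    let checks = [("user::alice", "/rooms/42", "PATCH"), ("user::bob", "/rooms/42", "PATCH")];
    for (user, obj, act) in checks {
        let verdict = if enforce(&rules, user, obj, act) { "allow" } else { "deny" };
        println!("{} {} {} -> {}", user, act, obj, verdict);
    }
}
```

A request that matches no row is denied, so an endpoint added without a corresponding rule stays closed rather than open.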

Authenticated API endpoint handlers

These are API endpoints that are only available after authentication.

The endpoints are described in the OpenAPI specification.